Cloud Security

Is my data secure?

General

As a software security provider, RIPS Technologies is committed to providing highly secure and reliable software. Our cloud service is hosted on Amazon Web Services (AWS), which is compliant with a wide variety of industry-accepted security standards. Additionally, our engineers utilize proven and state-of-the-art security technologies and techniques in order to protect all systems, data, and information from unauthorized access in the best possible way.

If you have any questions or need additional information, please write to .
For encrypted email communication, you can use our PGP key.


What data is stored?

RIPS stores the following general customer data that is necessary for the purposes of its analysis service:

  • Account name
  • License terms
  • Email address

For each analyzed application, the following customer data is stored:

  • Project name
  • Analyses settings
  • Analyses timestamps
  • Login timestamps
  • Number of issues, files, functions, and lines of code
  • Names and line numbers of files and functions

For each detected security issue, the following data is stored:

  • Vulnerability type
  • Minimum set of affected code lines (code summary)
  • Reconstructed markup strings
  • Reviews and comments

Unless you opt out before a new scan, the analyzed source code files are stored so that a detected security issue can be mapped to its original code lines for an efficient review.
If you opt out, the source code files are not permanently stored on our servers. In this case, the code is securely transmitted and parsed by an isolated analysis instance that is deleted together with the code after the analysis has completed.

RIPS Technologies does not store bank information or credit card data.


Where is my data stored?

For data storage, analysis, and backups, RIPS utilizes the preexisting Amazon AWS cloud infrastructure and therefore shares several AWS standards and accreditations. All virtualized servers are run in the EU region Frankfurt, Germany.

Among others, Amazon AWS is certified by the following security compliance standards:

Reference: Amazon Security Bulletins


Who has access to my data?

  • RIPS Technologies does not share customer data with third parties.
  • Administrative access to customer data is restricted to a small number of closely managed RIPS Technologies administrators.
  • Access to production systems and data follows the security standard of Least Privilege.
  • For debugging purposes, access to the affected code lines of an issue can be granted in agreement with the respective customer, but never to the complete source code.

How is my data protected?

 Network Security

  • All traffic from and to the cloud service is encrypted using the SSL/TLS protocol.
  • We enforce the usage of strong TLS ciphersuites.
  • Data within our infrastructure is transmitted via VPNs.
  • All systems are firewalled to a minimal number of access points.

 Account Security

  • An account owner can access his separated account data by using his private password.
  • We enforce a strong password policy.
  • Session keys are encrypted using AES-256.
  • The encryption key is rotated within 24h.
  • Passwords are stored hashed and salted (bcrypt).
  • We use secure and httpOnly cookies, as well as a content security policy (CSP).
  • Access to an account is logged, tracked and audited.

 System Security

  • All operating systems are maintained according to best practices in the industry.
  • All recommended patch levels are applied.
  • Unnecessary users, services, and components are disabled.
  • All systems are constantly monitored.

 Secure Data Storage

  • Data is stored on a virtualized server on Amazon AWS.
  • Source code is stored encrypted using AES-256.
  • Code analysis is performed with an isolated and virtual instance that is destroyed after analysis.

Can I delete my data and what happens exactly?

When your cloud account expires, all associated data is deleted within 30 days automatically.
Anonymized data, such as number of projects, issues, files, and lines, is kept for statistics.
The following options are available to safely erase specific data from our servers at any time:

Account Delete
When you delete your account, all associated data is permanently deleted.
This includes all projects, source code files, issues, reviews, and comments.

Project Delete
When you delete a specific project, all associated data of this project is permanently deleted.
This includes all source code files, issues, reviews, and comments.

Issue Delete
When you delete a specific issue, all associated data of this issue is permanently deleted.
This includes the code summary, reconstructed markup strings, reviews, and comments.
No source code files are deleted at this point.

Code Delete
When you delete the code of a specific project, all associated source code files are permanently deleted.
Code summaries of the detected security issues remain in the database at this point.